Threat Actors Abuse LogMeIn Resolve and ScreenConnect in Multi-Stage Phishing Attacks

Home Cyber Security News Threat Actors Abuse LogMeIn Resolve and ScreenConnect in Multi-Stage Phishing Attacks A carefully crafted phishing campaign has been targeting organizations across the United States, using trusted remote monitoring and management (RMM) tools to slip past security defenses and gain unauthorized access to victim systems. Rather than deploying traditional malware at the outset, the threat actors behind this operation weaponized legitimate software — specifically LogMeIn Resolve and ScreenConnect — to quietly establish a foothold before moving deeper into compromised networks. The campaign appears to have begun as early as April 2025, with the bulk of malicious activity occurring between October and November of the same year. In total, more than 80 organizations across multiple industry sectors in the US were affected. Attackers initiated contact through phishing emails — some sent from compromised third-party accounts belonging to known and trusted contacts, making the messages appear credible, while others came from completely unknown senders. Many of these emails were designed to look like Punchbowl event invitations, carrying subject lines such as “SPECIAL INVITATION,” while others mimicked tender solicitation notices. Each email contained a link pointing to attacker-controlled distribution sites that hosted legitimate LogMeIn Resolve installers preconfigured to register the victim’s device to an account fully owned and controlled by the attacker. Sophos analysts and researchers identified and tracked this threat activity cluster as STAC6405. Their ongoing investigation revealed that the campaign’s distribution infrastructure shifted repeatedly over time, with the threat actor rotating between themed landing pages — including one mimicking Microsoft Teams and another styled after Norton security software — possibly to tailor delivery based on user location or browser attributes. A Norton-themed distribution website (Source – Sophos) The malicious installer files carried names carefully designed to appear routine, such as Invitation.exe, ContractAgreementToSign.exe, and statmtsPDF10.25.exe. An example of one of the malicious lures (Source – Sophos) Once a victim executed the downloaded file, the attacker gained unattended remote access through the LogMeIn Resolve platform. Following execution of the downloaded binary, LogMeIn Resolve is installed (Source – Sophos) The installed agent wrote a configuration file to disk with a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID tied to that specific configuration. In most observed cases, the attack stopped at this point — threat actors appeared to remain idle after gaining initial access, a pattern commonly linked to initial access broker (IAB) operations, where stolen access is quietly sold on criminal marketplaces for further exploitation. Multi-Stage Payload Delivery In two incidents, however, the threat actors moved to a second stage very quickly. In the first case, they exploited a pre-existing installation of ScreenConnect — already running on the victim machine — to download a ZIP archive packed with the HeartCrypt Packer-as-a-Service tool. The archive held two files: HideMouse.exe, a utility that replaces the visible mouse cursor with a transparent one to conceal remote on-screen activity from the user, and 87766713.exe, a piece of malware that Sophos researchers assessed as behaviorally similar to ValleyRAT. Once executed, the infostealer sat idle for four to nine minutes — a deliberate delay designed to bypass sandbox analysis and heuristic detection tools — before injecting code into csc.exe, a legitimate Microsoft binary regularly abused as a living-off-the-land binary (LOLbin). The malware then connected to a command-and-control server and began harvesting browser-stored credentials, session tokens, cryptocurrency wallet data, and system details. An embedded encrypted payload was decrypted at runtime using TripleDES cryptography. In the second incident, the downloaded binary launched a ScreenConnect client as a service alongside a Java-based remote access tool, and the attacker began enumerating firewall rules before Sophos and the affected organization successfully contained the breach. Organizations should restrict software installations to an approved list, enforce strong credential hygiene through secure password managers or passkeys, and remove RMM tools like LogMeIn if they are not needed for daily business use. Unauthorized RMM tools should also be blocked through application control policies. Any URLs and indicators of compromise associated with this campaign should be blocked promptly across all network entry points. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. RELATED ARTICLESMORE FROM AUTHOR Cyber Security BlueHammer PoC for Windows Defender Exploited by Researchers to Escalate Privileges Cyber Security News Iran-Linked Hackers Launch Password Spray Campaign Against Microsoft 365 Tenants in Middle East Cyber Security News Microsoft Releases New Defender Update for Windows 11, 10, and Server Installation Images Top 10 Top 10 Best User Access Management Tools in 2026 April 4, 2026 Top 10 Best VPN For Chrome in 2026 April 4, 2026 20 Best Application Performance Monitoring Tools in 2026 April 3, 2026 Top 10 Best VPN For Linux In 2026 April 3, 2026 10 Best VPN For Privacy In 2026 April 2, 2026